Cloud security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster. The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector. In a report shared with The Hacker News, security researcher Roi Nisimi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)." The system:authenticated group is a special group that includes all authenticated entities, counting human users and service accounts. As a result, this could have serious consequences when administrators inadvertently bestow it with overly permis

A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits. The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration." "A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol  said , adding it shared the intelligence with the Ukrainian authorities. The Cyber Police of Ukraine, in a separate announcement, said the suspect "infected the servers of a well-known American company with a miner virus" at least since 2021, using custom brute-force tools to infiltrate 1,500 accounts of the firm. "Using the compromised accounts, the hacker gained access to the management of the service," the a

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

A new Python-based hacking tool called  FBot  has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio. "Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts," SentinelOne security researcher Alex Delamotte  said  in a report shared with The Hacker News. FBot is the latest addition to the list of cloud hacking tools like  AlienFox, GreenBot  (aka Maintance),  Legion , and  Predator , the latter four of which share code-level overlaps with AndroxGh0st. SentinelOne described FBot as "related but distinct from these families," owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year. The end goal of the tool is to hijack cloud, SaaS, and

Collaboration is a powerful selling point for SaaS applications. Microsoft, Github, Miro, and others promote the collaborative nature of their software applications that allows users to do more. Links to files, repositories, and boards can be shared with anyone, anywhere. This encourages teamwork that helps create stronger campaigns and projects by encouraging collaboration among employees dispersed across regions and departments.  At the same time, the openness of data SaaS platforms can be problematic. A  2023 survey  by the Cloud Security Alliance and Adaptive Shield found that 58% of security incidents over the last two years involved data leakage. Clearly, sharing is good, but data sharing must be put in check. Most SaaS applications have mechanisms to control sharing. These tools are quite effective in ensuring that company resources aren't open for display on the public web. This article will look at three common data leakage scenarios and recommend best practices for safe sh

Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long-ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore, more and more security teams are now turning to the emerging category of purpose-built enterprise browsers as the answer to the browser's security challenges. However, as this security solution category is still relatively new, there is not yet an established set of browser security best practices, nor common evaluation criteria.  LayerX, the User-First Enterprise Browser Extension, is addressing security teams' need with the downable  Enterprise Browser Buyer's Guide , which guides its readers through the essentials of choosing the best solution and provides them with an actionable

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. "An attacker who has compromised the  Fluent Bit  logging container could combine that access with high privileges required by  Anthos Service Mesh  (on clusters that have enabled it) to escalate privileges in the cluster," the company  said  as part of an advisory released on December 14, 2023. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) - 1.25.16-gke.1020000 1.26.10-gke.1235000 1.27.7-gke.1293000 1.28.4-gke.1083000 1.17.8-asm.8 1.18.

Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth  said  in a Tuesday analysis. AWS STS is a  web service  that enables users to request temporary, limited-privilege credentials for users to access AWS resources without needing to create an AWS identity. These STS tokens can be valid  anywhere from 15 minutes to 36 hours . Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls. "Depending on the token's permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to e

Cybersecurity researchers have discovered a new variant of an emerging botnet called  P2PInfect  that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages ( MIPS ) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir  said  in a report shared with The Hacker News. P2PInfect, a Rust-based malware, was  first   disclosed  back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability ( CVE-2022-0543 , CVSS score: 10.0) for initial access. A subsequent analysis from the cloud security firm in September  revealed  a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware. The new artifacts, besides attempting to condu

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. "These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag  said  in a new research published earlier this week. Some of those impacted include two top blockchain companies and various other fortune-500 companies, according to the cloud security firm, which leveraged the GitHub API to fetch all entries containing .dockerconfigjson and .dockercfg types that  store credentials  for accessing a container image registry. Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that provided access to the respective registries. Ninety-three of the passwords were manually set by individuals, as opposed to the 345 that were computer-generated. "In the majority of cases, these creden

The  Kinsing  threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance," Trend Micro security researcher Peter Girnus  said . Kinsing  refers to a  Linux malware  with a history of targeting misconfigured containerized environments for cryptocurrency mining, often utilizing compromised server resources to generate illicit profits for the threat actors. The group is also known to quickly adapt its tactics to include newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Earlier this month, Aqua  disclosed  the threat actor's attempts to exploit a Linux privilege escalation fla

In 2023, the cloud isn't just a technology—it's a battleground. Zenbleed, Kubernetes attacks, and sophisticated APTs are just the tip of the iceberg in the cloud security warzone. In collaboration with the esteemed experts from Lacework Labs, The Hacker News proudly presents an exclusive webinar: ' Navigating the Cloud Attack Landscape: 2023 Trends, Techniques, and Tactics .' Join us for an insightful session led by Jose Hernandez of Lacework Labs, where we dissect and analyze the year's most pressing cloud security issues. This webinar is not just about theory; it's a practical guide filled with actionable strategies to shield your organization from advanced threats in the cloud.  Highlights include: Kubernetes Security Breaches:  Explore the surge in Kubernetes-related vulnerabilities and the concerning increase in administrative plane abuses. Zenbleed in Focus:  Understand the far-reaching impact of the Zenbleed vulnerability and how Lacework Labs is

In 2023, the global average cost of a data breach reached  $4.45 million . Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations. In a world where the frequency and cost of data breaches are skyrocketing, organizations are coming face-to-face with a harsh reality: traditional cybersecurity measures might not be cutting it anymore.  Against this backdrop, businesses must find ways to strengthen their measures to safeguard precious data and critical assets. At the heart of this shift lies a key strategy: continuous monitoring. Understanding Continuous Security Monitoring in Cybersecurity Continuous monitoring is a dynamic approach that encompasses several techniques to fulfil a multi-layered defense strategy. These techniques can include:  Risk-Based Vulnerability Management (RBVM): Continuous vulnerability assessments across your network with remediation prioritization based on

Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft  Azure Automation  service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention. "While this research is significant because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to achieve any task that requires code execution on Azure," security researcher Ariel Gamrian  said  in a report shared with The Hacker News. The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable. That's where Azure Automation comes in.

Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker." Tracked as  CVE-2023-22518 , the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of "improper authorization vulnerability." All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions - 7.19.16 or later 8.3.4 or later 8.4.4 or later 8.5.3 or later, and 8.6.1 or later That said, the Australian company emphasized that "there is no impact to confidentiality as an attacker cannot exfiltrate any instance data." No other details about the flaw and the exact method by which an adversary can take advantage of it have been made available, likely owing to the fact that doing so could enable threat actors to devise an exploit. Atlassian is also u

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an  XMPP -based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany. "The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted  STARTTLS connections  on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS  said  earlier this week. "The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued." Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack. The wiretapping is estimated to have lasted for as long as six months, from April 18, 2023, although it's been confi

VMware has released security updates to address a critical flaw in the vCenter Server that could result in remote code execution on affected systems. The issue, tracked as  CVE-2023-34048  (CVSS score: 9.8), has been described as an out-of-bounds write vulnerability in the implementation of the  DCE/RPC protocol . "A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution," VMware  said  in an advisory published today. Credited with discovering and reporting the flaw is Grigory Dorodnov of Trend Micro Zero Day Initiative. VMware said that there are no workarounds to mitigate the shortcoming and that security updates have been made available in the following versions of the software - VMware vCenter Server 8.0 (8.0U1d or 8.0U2) VMware vCenter Server 7.0 (7.0U3o) VMware Cloud Foundation 5.x and 4.x Given the criticality of the flaw and the lack of temporary mitigations, the virtualization

Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances. The vulnerability, tracked as  CVE-2023-22515 , is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers. It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue. The enterprise software services provider  said  it was made aware of the issue by "a handful of customers." It has been addressed in the following versions of Confluence Data Center and Server - 8.3.3 or later 8.4.3 or later, and 8.5.2 (Long Term Support release) or later The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability. Customers who are unable to apply the updates are advised

LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across various sectors, including but not limited to Software, Retail, Hospitality, Manufacturing, and Telecoms. LUCR-3 does not rely heavily on malware or even scripts; instead, LUCR-3 expertly uses victims' own tools, applications, and resources to achieve their goals. At a high level, Initial Access is gained through compromising existing identities in the IDP (Okta: Identity Cloud, Azure AD / Entra, Ping Identity: PingOne). LUCR-3 uses SaaS applications such as document portals, ticketing systems, and chat applications to learn how the victim organization operates and how to access sensitive information. Using the data they gained from reconnaissance within the SaaS